1 / 3

Pentesting JWT It is essential to understand

JWT stands for JSON Web Token, an open standard designed for securely sharing information between a client and a server. Each JWT consists of encoded JSON objects that contain a set of claims. These tokens are signed using a cryptographic algorithm to ensure the integrity of the claims, preventing any alterations after the token has been issued.<br><br>Contact us: 91 9900 53 7711<br>Please write to us: info@bornsec.com<br>Visit us: https://bornsec.com/<br><br>

Bornsec
Download Presentation

Pentesting JWT It is essential to understand

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Pentesting JWT: It is essential to understand What is JWT? JWT stands for JSON Web Token, an open standard designed for securely sharing information between a client and a server. Each JWT consists of encoded JSON objects that contain a set of claims. These tokens are signed using a cryptographic algorithm to ensure the integrity of the claims, preventing any alterations after the token has been issued. Know more about Pentesting JWT Structure of JWT? JWT Token consists of: HEADER, PAYLOAD, SIGNATURE HEADER: The Header consists of “Type” and “algorithm” TYPE denotes to token which is “JWT” and the signing algorithm being used, such as HMAC SHA256 or RSA PAYLOAD: The payload consists of claims (claims are statements). The types of claims are as follows: - Registered: Registered claims are predefined and recommended for use, though they are not mandatory. These claims help provide a set of useful and interoperable information. Examples include iss (issuer), exp (expiration time), sub (subject), and aud (audience). Public: Public claims are custom claims meant for public consumption and should be collision resistant. These claims may include generic information, such as the user’s name and email address. Private: These are the custom claims created to share information between parties that agree on using them and are neither registered nor public claims. Protect Your Business with Cutting-Edge Cybersecurity Services – Safeguard Your Data 24/7! SIGNATURE: The Signature of a JWT contains its cryptographic signature, composed of the base64 URL-encoded header and payload segments. Pen-testing JWT (JSON WEB TOKENS)

  2. Algorithm to None: As JWT supports no algorithm. An attacker can tamper with the alg with ‘none’ and log in as a legitimate user. STEPS: Acquire the JWT Token and change the alg to none. { "alg" : "none", "typ" : "JWT" } { "user" : "Admin" } Mitigation: It’s possible to acquire a JWT token and alter the algorithm to none. However, using the nonalgorithm is highly discouraged in production environments. RS256 to HS256: When an application utilizes the RS256 algorithm, it uses a private key to sign the token and a public key to verify it. An attacker might exploit this by creating an HS256 token and signing it with the public key. STEPS: It’s possible to acquire a JWT token and alter the algorithm to none. However, using the none algorithm is highly discouraged in production environments. openssl s_client -connect target.com:443 2>&1 < /dev/null | sed -n ‘/—–BEGIN/,/—–END/p’ > certificatechain.pem openssl x509 -pubkey -in certificatechain.pem -noout > pubkey.pem Now we can create our own HS256 Token by using the JOSEPH Burp extension. Mitigation: It’s advisable not to trust HS256 when RS256 is used. No Signature Verification: In some cases, an application may fail to validate the signature of a JWT. This vulnerability allows an attacker to bypass the security mechanisms. STEPS: An attacker can get into victim's account by removing the signature part from the JWT Token {

  3. "alg" : "HS256", "typ" : "JWT" } { "user" : "Admin" } Mitigation: It is recommended to validate the signature. How to prevent JWT attacks? Use strong encryption for the payload: It is recommended to use strong encryption algorithms, such as AES or RSA, to protect the payload. This ensures that even if an attacker intercepts the JWT, they cannot read the payload without the appropriate encryption key. Use secure signature algorithms: Using secure signature algorithms, such as RSA or ECDSA, is crucial in ensuring the integrity and authenticity of the JWT. Using a strong secret key is also important to prevent brute force attacks on the signature. Implement proper token management: Proper token management is essential for preventing JWT- related security issues. Tokens should be securely stored, regularly refreshed, and revoked when necessary to prevent unauthorized access. For instance, tokens should be revoked if a user logs out, changes their password, or if there is a suspected security breach. Validate the JWT on the server-side: It is important to validate the JWT on the server side to prevent tampering with the payload. This can be achieved by checking the signature, expiration time, and other relevant information before granting access to sensitive information. Learn more about JSON Web Token (JWT) Contact us: +91 9900 53 7711 Please write to us: info@bornsec.com Visit us: https://bornsec.com/

More Related